Add WAF bypass payloads for Rails CVE-2019-5418
infosec-au opened this issue · 3 comments
infosec-au commented
Some research dropped from the awesome folk at PentesterLabs regarding this rails bug: https://blog.pentesterlab.com/cve-2019-5418-on-waf-bypass-and-caching-10e93f9a1981
They highlighted that the `Dir` method in Ruby relies on a glob. Globs accept a wide range of chars that can ultimately be used to our advantage to bypass WAFs. Example taken from their blog post:
```ruby
> Dir["/etc/passwd"].uniq
=> ["/etc/passwd"]
> Dir["/etc/p*ss*d"].uniq
=> ["/etc/passwd"]
> Dir["/e*c/p*ss*d"].uniq
=> ["/etc/passwd"]
> Dir["/e?c/p*ss[w|z]d"].uniq
=> ["/etc/passwd"]
```
Should we make the current payload include glob characters by default? Or should we have a list of payloads? Thoughts? Happy to send a PR.
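An added example (not code from the issue, the scanner, or the PentesterLab post) showing why the glob behaviour matters on the defending side: Ruby's `Dir[]` treats `*`, `?`, `[...]`, `{...}` and `\` as pattern metacharacters, so many distinct strings resolve to the same file and a signature that only matches the literal path misses them. The block reproduces the equivalence on a constructed temporary directory, gives a detection rule that flags glob metacharacters and `..` segments in any value that will reach `Dir[]`, and shows a lookup that never hands user input to a glob and confirms the resolved file stays under its base directory. All function names (`glob_variants`, `suspicious_glob_input?`, `safe_file_under`, `demo`) and the `secret.txt` fixture are assumptions made for this example.

```ruby
require "tmpdir"
require "fileutils"

# Characters Dir[] / Dir.glob interprets as pattern syntax rather than literally.
GLOB_METACHARS = /[*?\[\]{}\\]/.freeze

# Resolve each pattern with Dir[] under base and return the basenames it matched.
# Used here only to demonstrate that several spellings hit the same file.
def glob_variants(base, patterns)
  patterns.map do |pat|
    [pat, Dir[File.join(base, pat)].map { |p| File.basename(p) }]
  end.to_h
end

# Detection rule: true when a value about to reach Dir[] carries glob
# metacharacters or a ".." path segment. Suitable for a WAF rule or for
# logging on the application side; a literal-path signature alone is not.
def suspicious_glob_input?(value)
  value.match?(GLOB_METACHARS) || value.split(%r{[\\/]}).include?("..")
end

# Hardened lookup: never pass the caller's string to a glob. Reject pattern
# syntax and traversal, then check that the realpath of the result is still
# inside the realpath of base (realpath also defuses symlinks out of base).
def safe_file_under(base, name)
  return nil if suspicious_glob_input?(name)

  real_base = File.realpath(base)
  candidate = File.expand_path(name, real_base)
  return nil unless File.exist?(candidate)

  real = File.realpath(candidate)
  return nil unless real.start_with?(real_base + File::SEPARATOR)

  real
end

# Constructed fixture: one file, "secret.txt", in a throwaway directory.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "secret.txt"), "constructed sample\n")
    variants = glob_variants(dir, [
      "secret.txt",          # literal
      "s*cr*t.txt",          # star wildcards
      "s?cret.t[x|y]t",      # single-char wildcard and character class
      "{secret,other}.txt"   # brace alternation
    ])
    {
      variants: variants,
      flagged: variants.keys.select { |k| suspicious_glob_input?(k) },
      safe_plain: !safe_file_under(dir, "secret.txt").nil?,
      safe_glob: safe_file_under(dir, "s*cr*t.txt").nil?
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Every variant in `demo` resolves to the single `secret.txt`, only the literal spelling passes `suspicious_glob_input?`, and `safe_file_under` returns the file for the literal name while refusing the wildcard form. The realpath containment check is what keeps the lookup safe even when the metacharacter filter is bypassed by some encoding the rule does not anticipate.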
albinowax commented
Changing the existing payload would make most sense. Do you have access to a lab to make sure it still works afterwards?
infosec-au commented
I'll spin up a lab, test it, and send through a PR. Thanks.
albinowax commented
Merged, thanks!